Hacker Eva Galperin Has a Plan to Eradicate Stalkerware

Eva Galperin, the head of the Electronic Frontier Foundation's Threat Lab, is taking on a long-neglected problem: spyware used for domestic abuse.

Phuc Pham

Over the last year, Eva Galperin says she's learned the signs: the survivors of domestic abuse who come to her describing how their tormentors seem to know everyone they've called, texted, and even what they discussed in their most private conversations. How their abusers seem to know where they've been and sometimes even turn up at those locations to menace them. How they flaunt photos mysteriously obtained from the victim's phone, sometimes using them for harassment or blackmail. And how none of the usual remedies to suspected hacking—changing passwords, setting up two-factor authentication—seem to help.

The reason those fixes don't work, in these cases, is because the abuser has deeply compromised the victim's phone itself. The stalker doesn't have to be a skilled hacker; they just need easily accessible consumer spyware and an opportunity to install it on their target's device. An entire industry of that so-called spouseware, or stalkerware, has grown in recent years, one that Galperin argues represents a deeply underestimated scourge of digital privacy.

"Full access to someone’s phone is essentially full access to someone’s mind," says Galperin, a security researcher who leads the Threat Lab of the digital civil liberties group the Electronic Frontier Foundation. "The people who end up with this software on their phones can become victims of physical abuse, of physical stalking. They get beaten. They can be killed. Their children can be kidnapped. It’s the small end of a very large, terrifying wedge."

Now Galperin has a plan to end that scourge for good—or at least take a serious bite out of the industry. In a talk she is scheduled to give next week at the Kaspersky Security Analyst Summit in Singapore, Galperin will lay out a list of demands: First, she's calling on the antivirus industry to finally take the threat of stalkerware seriously, after years of negligence and inaction. She'll also ask Apple to take measures to protect iPhone users from stalkerware, given that the company doesn't allow antivirus apps into its App Store. Finally, and perhaps most drastically, she says she'll call on state and federal officials to use their prosecutorial powers to indict executives of stalkerware-selling companies on hacking charges. "It would be nice to see some of these companies shut down," she says. "It would be nice to see some people go to jail."

Ahead of her talk, Galperin has notched her first win: Russian security firm Kaspersky announced today that it will make a significant change to how its antivirus software treats stalkerware on Android phones, where it's far more common than on iPhones. Rather than merely flag those spy apps as suspect but label them with a confusing "not a virus" message, as it has for most breeds of stalkerware in the past, Kaspersky's software will now show its users an unmistakable "privacy alert" for any of dozens of blacklisted apps, and then offer options to delete or quarantine them to cut off their access to sensitive information.

Prior to today, Kaspersky flagged stalkerware with the confusing label "not a virus" (left), compared with the unmistakable "privacy alert" it will now display for the same spyware (right).

Kaspersky

Galperin, who has been working directly with stalkerware victims, sees the Moscow-based firm's move as raising the bar for the entire security industry. Once one company begins to call out consumer spyware as a full-fledged security threat, she argues, competition will drive the other antivirus firms to meet that standard. The result, she hopes, will be a broader remedy to a security industry that has long underestimated stalkerware—often because security researchers don't count spy tools that require full access to a device as "real" hacking, despite domestic abusers in controlling relationships having exactly that sort of physical access to a partner's phone.

"Stalkerware is considered beneath the interest of most security researchers," Galperin says. "Changing norms takes time. But it starts with someone standing up and saying this is not OK, this is not acceptable, this is spying."

A Creepware Crackdown

Within the notoriously shoddy Android antivirus market, the numbers bear out the negligence of stalkerware that Galperin points to: A study last year by researchers at Cornell Tech, New York University, and the University of Washington looked at 70 known Android stalkerware apps and found that antivirus failed to detect a significant portion of those not found in the Google Play Store. Among well-known antivirus products, McAfee antivirus did the best job of those in the study, missing 10 percent of the apps; most others missed 25 to 40 percent. ESET, an otherwise reputable antivirus product, missed 85 percent. Google also allows some surveillance apps—often advertised as for tracking kids or stolen phones—in the Play Store itself; antivirus apps flagged virtually none of them.

"The whole industry hasn’t been looking at these apps seriously enough," says Alexey Firsh, a malware analyst for Kaspersky who worked on the company's new approach to consumer spyware. "Some pose as parent control or antitheft, but at the same time you see this software grabs all your browser history. That’s not normal, and it’s not OK."

Some in the security industry might look askance at Kaspersky's new anti-stalkerware evangelism. Kaspersky has faced accusations for years that it has ties to Russian intelligence agencies, which the company denies. The US banned Kaspersky software from official federal government use last year. But Galperin points out that fighting stalkerware is one situation where Kaspersky's alleged Kremlin ties aren't relevant. The Kaspersky users who worry about domestic abuser spying are rarely the same ones concerned with Russian intelligence.

"It's really about modeling your threat. Most victims of domestic violence don’t work for the NSA or the US government," she says. But she also sees Kaspersky's move as a lever she can use to apply pressure to the company's US competitors. "I recommend American antivirus companies catch up, so I can recommend them instead. Get up and do it yourself."

Hands-On With Hacking Victims

Galperin set off on this mission a year ago, when she discovered that a security researcher she knew personally—one whom she declines to name—had secretly sexually abused a string of women. In at least one case, Galperin says, the abuser had threatened to hack a victim's devices as a means of control. With a series of revelatory investigative articles on stalkerware by the tech news site Motherboard in the back of her mind, she posted a message to Twitter: It invited any victims of sexual violence who had also been threatened with hacking to contact her for help.

That tweet, to Galperin's surprise, would end up taking over a significant portion of her life. It was retweeted nearly 10,000 times. Hundreds of domestic abuse victims, who either believed or feared their computers or phones might be hacked, contacted her over the months that followed. Galperin estimates that since then, she has devoted about a quarter of her work time to acting as a kind of one-woman IT help desk and therapist, assisting people in everything from checking phones for spyware to changing passwords to even checking out a Nest camera one victim believed was being used to spy on her. "I’ve called companies on their behalf. I’ve helped them find attorneys," Galperin says. "I’ve sat there and held their hand and told them that everything is going to be OK."

Galperin found that actual stalkerware was installed on a victim's phone in only a small fraction of those cases; far more common were hacked accounts, or threats of hacking that never materialized. But stalkerware cases were often the most extreme, she says.

"The stories don't start with 'my phone is acting weird,'" says Dave Maass, another staffer for EFF's Threat Lab, who at one point helped Galperin sort through the flood of requests. "They start with 'someone beat me up, or raped me, or threatened my children.' Horrendous stories. Having the emotional fortitude to hear these stories, to probe them, is one of Eva's real strengths."

But within months, Galperin could tell that her work as a hands-on stalkerware first responder wouldn't scale. So she began looking for a different approach. "I looked at the entire problem, and I tried to think about what could create the most bang for the buck," she says. "If a victim can run antivirus and say 'you’re not on my phone,' that would mean a lot."

In March 2018, Galperin gave a talk at the Kaspersky Security Analyst Summit in Cancun, where she presented years of research tracking a likely Lebanese, state-sponsored hacking group known as Dark Caracal. During a coffee break at that beachside conference, she started speaking with Kaspersky researchers and executives about how they and the EFF might work together. In follow-up calls, she made the case for Kaspersky to plant its flag as the most stalkerware-unfriendly antivirus software in the world. The timing, in the wake of the announcement of Kaspersky's US government ban, was fortuitous. "It’s a good time to have things you’re asking Kaspersky to do," she says. "They desperately need a win right now."

Kaspersky's Firsh recalls that Galperin's nudging prompted the company to check its own malware statistics on stalkerware. It found more than 50,000 users with infected phones from just the previous year, all of whom had been alerted only with an ambivalent "not a virus" warning. Kaspersky couldn't say just how many stalkerware applications it failed to detect altogether, of course, but the Cornell Tech, New York University, and University of Washington study put the company's miss rate for Android stalkerware installed from outside the Google Play store at 15 percent.

Combined with repeated reports of massively insecure storage of tracking data by stalkerware companies, Kaspersky decided to change its approach. Firsh ultimately credits Galperin's influence. "The Electronic Frontier Foundation inspired us to do this," he says. "We realized it was time for us to implement changes and deal with this real threat in a more aggressive way."

More Battles Ahead

For the last year, Galperin has helped hundreds of stalkerware victims hands-on, acting as a one-woman IT help desk, incident response team, and sometimes therapist.

The full extent of that stalkerware crackdown will only prove out with time and testing, says Sam Havron, a Cornell researcher who worked on last year's spyware study. Much more work remains. He notes that domestic abuse victims can also be tracked with dual-use apps often overlooked by antivirus firms, like antitheft software Cerberus. Even innocent tools like Apple's Find My Friends and Google Maps' location-sharing features can be abused if they don't better communicate to users that they may have been secretly configured to share their location. "This is really exciting news," Havron says of Kaspersky's stalkerware change. "Hopefully it will spur the rest of the industry to follow suit. But it's just the very first thing."

Galperin isn't declaring victory either. In her talk at Kaspersky's Security Analyst Summit next week, she also plans to demand that Apple fix a problem that enables stalkerware. iPhones, she says, should alert users if they've been jailbroken—a technique that removes an iPhone's security restrictions so that users can install unofficial apps—which she says is the most common way stalkerware winds up on an iOS device. Determining if an iPhone has even been hacked in that manner has been a challenge for years, though the problem has been less severe in recent versions of iOS, for which jailbreak tools usually require the phone to be connected to a laptop and the process repeated every time the phone is rebooted. WIRED reached out to Apple for comment on Galperin's demand but didn't receive a response.

The third and perhaps most dramatic fight Galperin plans to pick in her SAS talk will be with law enforcement. She argues that existing computer crime laws like the Wiretap Act, the Computer Fraud and Abuse Act, and state-level two-party-consent recording laws apply to a significant fraction of stalkerware companies, which openly describe their products' intended use as secretly tracking cheating spouses or significant others. She names New York, California, and Washington as states where she believes attorneys general might be receptive to her calls for a crackdown. "Here are these companies. Here are the ways they’re already breaking the law," she says, summarizing her argument. "Have you considered prosecuting them? That would be cool."

Galperin admits her role is limited to a kind of strategic lobbying on behalf of stalkerware victims. But Kaspersky, at least, seems to have listened. And she hopes that may help tilt the battle against stalkerware in the right direction for other antivirus firms—and beyond. "Sometimes you get what you ask for," Galperin says. "This change means when I talk to victims of domestic abuse, I can tell them, yes, install antivirus. And it may actually do some good."